Your message dated Sun, 14 Sep 2025 11:41:55 +0000
with message-id <[email protected]>
and subject line Bug#1109860: fixed in libssh 0.11.3-1
has caused the Debian Bug report #1109860,
regarding libssh: CVE-2025-8114
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109860: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109860
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libssh
Version: 0.11.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libssh.
CVE-2025-8114[0]:
| A flaw was found in libssh, a library that implements the SSH
| protocol. When calculating the session ID during the key exchange
| (KEX) process, an allocation failure in cryptographic functions may
| lead to a NULL pointer dereference. This issue can cause the client
| or server to crash.
At the time of this writing I have only found the main reference as the
bugzilla entry from Red Hat.
https://www.libssh.org/security/advisories/ did not yet contain an
advisory for it. Can you maybe ask back to upstream?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-8114
https://www.cve.org/CVERecord?id=CVE-2025-8114
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2383220
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
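As an added illustration of the bug class the CVE text above describes (constructed code, not libssh's own): a session-ID digest computed with an unchecked allocation, beside the hardened form that reports the failure to the caller so the key exchange can be aborted instead of crashing. The digest, the fault-injection flag and the function names are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Toy digest context standing in for the cryptographic objects a KEX
 * allocates (constructed for this example; not a real hash API). */
typedef struct { uint32_t state; } digest_ctx;

/* Fault-injection switch so a caller can force the allocation failure
 * that CVE-2025-8114 describes. */
static int fail_next_alloc = 0;

static digest_ctx *digest_new(void) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    digest_ctx *c = malloc(sizeof *c);
    if (c) c->state = 2166136261u;          /* FNV-1a seed, toy hash only */
    return c;
}
static void digest_update(digest_ctx *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { c->state ^= p[i]; c->state *= 16777619u; }
}
static uint32_t digest_final(digest_ctx *c) { uint32_t h = c->state; free(c); return h; }

/* Unhardened pattern: the allocation result is used without a check.
 * When digest_new() returns NULL, digest_update() dereferences it and
 * the client or server crashes, the class of bug fixed in libssh 0.11.3. */
static uint32_t session_id_unchecked(const uint8_t *kex, size_t n) {
    digest_ctx *c = digest_new();
    digest_update(c, kex, n);
    return digest_final(c);
}

/* Hardened form: allocation failure becomes an error return, never a
 * NULL dereference; the caller can then tear the KEX down cleanly. */
static int session_id_checked(const uint8_t *kex, size_t n, uint32_t *out) {
    digest_ctx *c = digest_new();
    if (c == NULL) return -1;               /* SSH_ERROR-style failure path */
    digest_update(c, kex, n);
    *out = digest_final(c);
    return 0;
}

int main(void) {
    static const uint8_t kex[] = "constructed-kex-transcript";   /* constructed input */
    uint32_t id = 0;
    fail_next_alloc = 1;
    printf("alloc fails -> rc=%d\n", session_id_checked(kex, sizeof kex - 1, &id));
    printf("alloc ok    -> rc=%d id=%08x\n", session_id_checked(kex, sizeof kex - 1, &id), id);
    /* session_id_unchecked() with fail_next_alloc set would segfault here. */
    return 0;
}
```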
--- Begin Message ---
Source: libssh
Source-Version: 0.11.3-1
Done: Martin Pitt <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <[email protected]> (supplier of updated libssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 14 Sep 2025 09:54:50 +0200
Source: libssh
Architecture: source
Version: 0.11.3-1
Distribution: unstable
Urgency: medium
Maintainer: Laurent Bigonville <[email protected]>
Changed-By: Martin Pitt <[email protected]>
Closes: 1109860 1114859
Changes:
libssh (0.11.3-1) unstable; urgency=medium
.
* New upstream security/bug fix release:
- CVE-2025-8114: Fix NULL pointer dereference after allocation failure
(Closes: #1109860)
- CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated
wrong KEX (Closes: #1114859)
- Potential use-after-free when send() fails during key exchange
- Fix possible timeout during KEX if client sends authentication too early
- Cleanup OpenSSL PKCS#11 provider when loaded
- Zeroize buffers containing private key blobs during export
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---